CERT-In SBOM Guidelines: How to Achieve Compliance

CERT-In is India’s national cybersecurity agency. Its SBOM guidelines aim to strengthen supply chain security, improve visibility into software components, and ensure faster, standardized responses to vulnerabilities.

Compliance applies to government, public sector, essential services, and software exporters, as well as developers, integrators, and resellers across the software lifecycle.

OPSWAT SBOM helps with the automation and collection of CERT-In SBOM data fields, to provide visibility and transparency across the main areas, from software component details, transparency & risks, and licensing & usage.

• Component Name: Name of the software component or library.
• Component Version: Version number or identifier of the component.
• Component Supplier: Entity providing the component (vendor, third-party, or open-source).
• Component Origin: Source of the component (proprietary, open-source, or third-party).
• Unique Identifier: Distinct code for tracking the component across versions and ownership.
• Author of SBOM Data: Entity responsible for creating the SBOM entry.
• Timestamp: Date and time the SBOM entry was recorded.

• Component Dependencies: Other components or libraries this one relies on.
• Vulnerabilities: Known security issues tied to the component, with severity and CVE references.
• Patch Status: Current update or patch availability for vulnerabilities.
• Checksums or Hashes: Cryptographic values to verify file integrity.
• Executable Property: Whether the component can be executed.
• Archive Property: Whether the component is packaged as an archive file.
• Release Date: Date the component was first released.

Achieving CERT-In compliance is a phased journey that requires coordination across development, security, operations, and compliance teams. Each stakeholder plays a role in creating, maintaining, and sharing SBOMs at different points in the software lifecycle.

The table below, containing content and examples from the CERT-In Technical Guidelines, illustrates how SBOM responsibilities align with common software components:

Identify current practices for software inventory, vulnerability tracking, and vendor-provided SBOMs. Map these against CERT-In’s required data fields and formats.

Define clear roles for developers, IT operations, procurement, security, and compliance teams. Governance ensures SBOMs are consistently created, maintained, and shared across the enterprise.

Automation is crucial. Tools must:

• Generate SBOMs for every new release, patch, or update
• Integrate with DevOps pipelines, source repositories, and container registries
• Output in CycloneDX and SPDX formats for regulatory alignment

Embed SBOM generation at every SDLC stage:

• Design SBOM: planned components
• Source SBOM: development dependencies
• Build SBOM: during compilation
• Analyzed SBOM: post-build inspection
• Deployed SBOM: installed environment
• Runtime SBOM: monitoring active components

Procurement contracts should mandate SBOM delivery from all suppliers.

Establish continuous SBOM updates, integrate with vulnerability advisories like VEX (Vulnerability Exploitability eXchange) and CSAF, and ensure secure storage and sharing through encryption, HTTPS, and digital signatures.

Want to learn how to leverage SBOM for your security strategy?

Selecting the right vendor or solution is critical for both compliance and operational efficiency.

• Support for SPDX and CycloneDX
• Integration with DevOps pipelines and CI/CD workflows
• Ability to generate multiple SBOM levels (design, build, deployed, runtime)
• Audit-ready reporting and secure sharing mechanisms

Selecting the right partners is just as critical as building internal SBOM processes. CIOs and procurement leaders should include CERT-In alignment as part of their RFP and due diligence checklists. Key questions to ask include:

• Do you provide SBOMs in CERT-In–approved formats (SPDX, CycloneDX)?
• How often are your SBOMs updated—at release only, or continuously?
• What automation do you offer for SBOM generation, validation, and secure sharing?
• How do you enforce secure SBOM distribution (e.g., encryption, RBAC, digital signatures)?
• Does your solution integrate with DevOps pipelines, vulnerability databases, and CERT-In advisories?
• How do you support compliance audits and ongoing regulatory reporting?

Asking these questions upfront helps ensure vendors are not only compliant on paper but capable of sustaining SBOM practices that align with CERT-In’s evolving guidelines.

• Start with foundational workflows and expand maturity over time
• Mandate SBOM delivery in all procurement contracts
• Adopt a shift-left approach by integrating SBOM generation early in SDLC
• Train staff on SBOM awareness and regulatory requirements

Even well-intentioned SBOM initiatives can fail if organizations approach them superficially. CERT-In emphasizes that SBOMs must be accurate, comprehensive, and continuously updated. Here are some of the most common pitfalls and how to avoid them:

Maintain complete SBOM repositories, document governance practices, and align with CERT-In audit templates.

OPSWAT SBOM empowers developers by providing an accurate inventory of software components in source code and containers. Stay ahead of attackers, uncover threats, and detect vulnerabilities without impacting development velocity.

Enables software development teams to identify, prioritize, and address open-source dependencies' security vulnerabilities and licensing concerns.

Enables software development teams to identify, prioritize, and address open-source dependencies' security vulnerabilities and licensing concerns.

コンテナイメージを分析し、パッケージ名、バージョン情報、潜在的な脆弱性の SBOM を生成します。

Go beyond SBOM compliance and address advanced, evolving software supply chain attacks.

OPSWAT MetaDefender Software Supply Chain provides expanded visibility and a robust defense against supply chain risks. With our zero-trust threat detection and prevention technologies, your software development lifecycle (SDLC) is secured from malware and vulnerabilities, strengthening application security and compliance adherence.

The combination of 30+ antivirus engines increases detection rates and effectively prevents malware from infecting workstations, containers, or source code.

Proactive DLPTM identifies credentials such as passwords, secrets, tokens, API keys, or other sensitive information left in source code.

コンテナ・イメージの各レイヤーの下に存在するマルウェア、脆弱性、その他の潜在的リスクを評価し、評価する。

チームがソースコードリポジトリ、コンテナレジストリ、バイナリサービス、またはそれらのツールの組み合わせを使用しているかどうかに関わらず、MetaDefender Software Supply Chain SDLC全体を通して安全性を確保するために、一般的なプラットフォームとのネイティブな統合を提供します。

Banks and NBFCs must align SBOM practices with RBI cybersecurity mandates, with stricter audit requirements for sensitive data handling.

Suppliers must deliver SBOMs as part of contracts. Organizations should maintain internal and external SBOM inventories for transparency and risk management.